
Identity thieves install spyware to monitor transactions from the inside

In a press release timed to coincide with the inauguration of President Barack Obama, credit card processor Heartland Payment Systems announced Tuesday that it suffered a grievous security breach sometime in 2008, allowing hackers the opportunity to steal credit card information on what is possibly more than 100 million accounts.

Heartland is the sixth largest payment processor in the country, and specializes in transaction processing for small-to-medium-sized restaurants and retailers. According to Wired’s Threat Level, it processes more than 100 million transactions a month.

Federal investigators determined the source of the breach only last week: spyware installed somewhere on the company’s internal network that sniffed unencrypted credit card transactions as they passed through Heartland’s systems.

“Heartland believes the intrusion is [now] contained,” reads the press release.

Actual damage assessments are still in progress, and the real question is just how much data the malware was able to capture. Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.

Baldwin would not speculate on the actual number of credit card accounts exposed. The company’s press release, however, confirmed that the breach had no effect on the company’s other services, which include payroll and check processing, micropayment solutions, and its “recently acquired” Network Services and Chockstone processing platforms. Similarly, cardholders’ addresses, PIN numbers, and other personal data were also unaffected.

The unknown hackers’ sniffers were able to pick up credit card numbers because the data is sent unencrypted over Heartland’s internal network, a policy that Baldwin justified as necessary “to get the authorization request out.”

Late last month, various blogs reported a number of mysterious, fraudulent sub-25-cent transactions appearing on readers’ and bloggers’ credit card statements, coming from a nonexistent company called “Adele Services”. While it appears these events are unrelated, some consider the timing suspicious.

“There is no hard evidence that the company's data leak was responsible for the sudden surge of mysterious microtransaction fees we reported in early December,” writes Ars Technica’s Joel Hruska, “but the timing is extremely coincidental. The December attacks were never successfully attributed to any single company or credit card, but instead affected a seemingly unrelated group of people.”

“Heartland may — and I do stress may — have been the hidden link between them,” he said.



Comments

Timing
By Brandon Hill (blog) on 1/21/2009 11:37:29 AM , Rating: 3
quote:
In a press release timed to coincide with the inauguration of President Barack Obama, credit card processor Heartland Payment Systems announced Tuesday


That's a pretty damn big smokescreen :)




RE: Timing
By bighairycamel on 1/21/2009 11:44:19 AM , Rating: 4
quote:
Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.

This part made me laugh... I guess we should just let them off the hook now huh?


RE: Timing
By DASQ on 1/21/2009 11:47:30 AM , Rating: 2
"only" being the key word there ;)


RE: Timing
By soydeedo on 1/21/2009 12:02:54 PM , Rating: 2
Yeah, of course it's still cause for concern, but I was under the impression that you needed expiration dates at a minimum for any type of credit card transaction. Or is that just a fraud prevention method used by retailers rather than the credit issuers themselves?


RE: Timing
By bighairycamel on 1/21/2009 12:09:36 PM , Rating: 3
Well unfortunately there are certain sites/services that don't require a matching name to start an account (World of Warcraft and iTunes, etc.). All they would have to do is create an algorithm to input different expiration dates and see which one works.

I had to cancel a card one time because of this. I had WoW, iTunes and Lineage subscriptions show up on my card. After doing some research I found out they didn't actually have my card info but were able to randomly generate a working card number, which they verified as working through those sites.


RE: Timing
By grenableu on 1/21/2009 12:27:00 PM , Rating: 2
Yep, there are a dozen ways to get around a missing expiration date.


RE: Timing
By Solandri on 1/21/2009 6:26:04 PM , Rating: 3
Even canceling a card is not enough. I lost my Amex and called them to cancel it. I asked if there were any fraudulent charges on it yet and they said no. So I figured all was good. Got my new card a couple days later, different number and all.

Fast-forward 5 months. I was reviewing my old statements and I noticed a charge I didn't recognize on the new card issued to me after I canceled the lost card. I did some investigating and it turns out someone placed a manual charge (you know, where they run your card through the machine to make a carbon copy) on the old card. When that card turned out to be canceled, for some reason CC policy is to forward the charge to the new card on the account. Maybe because a lot of time can pass between when these manual charges are made and when they're processed? I've since found out that lots of scammers take advantage of this. I've read reports that it even works on those one-time-use credit card numbers.

Because it was over 90 days old, they wouldn't let me dispute it either.


RE: Timing
By Jimbo1234 on 1/21/2009 1:18:49 PM , Rating: 5
Yes, iTunes sucks when it comes to this. My credit card number was stolen about 6 months ago, and iTunes just kept letting stuff through. When you call them to dispute things, they ask for your iTunes account. Guess what, I don't have one, and even if I did it would be irrelevant. Then they tell you they only deal with this over e-mail. Fvck you Apple!

Luckily my credit union provides me with 0 liability on all my accounts and I did get my $ back.


RE: Timing
By JediJeb on 1/21/2009 2:55:55 PM , Rating: 2
I got hit with this almost 10 years ago on my debit card. Back then they called it "Spinning", akin to rolling the dice to generate a card number, exp date and CVV. They crank out thousands and run them through until they get a hit that works. I started having charges showing up for utilities payments in Nevada, where I had never been in my life. I got the money back through the bank, but while doing the investigating I found out about the trick from a Power Company in Nevada that had been hit hard by the chargebacks. Being able to steal the name and number would make this process much faster and easier.

If consumers were just patient enough to allow for the extra time that full authentication would take then this would not be as large a problem as it is now. But how many people want to even wait 2 or 3 minutes for an online payment or card swipe to go through, not many I am sure.


RE: Timing
By JDHack42 on 1/21/2009 4:21:30 PM , Rating: 2
It's not like guessing a valid credit card number is all that hard. A flunky college roommate used to drum up fake card numbers for those phone sex lines.

If you steal $1.00 from 1,000 people, is that 1 count of grand larceny or 1,000 counts of petit larceny?


RE: Timing
By Dreifort on 1/22/2009 12:22:27 PM , Rating: 2
glad they didn't get my playboy.com login info...whew! talk about dodging a bullet.


Bye
By porkpie on 1/21/2009 11:35:08 AM , Rating: 5
Bye Heartland, nice knowing ya.




The CIO should be fired.
By mxnerd on 1/21/2009 8:50:45 PM , Rating: 2
What the heck does this have to do with the inauguration?

On the other hand, why the heck did the company not encrypt the internal network traffic for credit card transactions? Why is this kind of mistake still happening in these companies?

How lame is their IT department? Maybe some kind of external auditing of computer security is required on a regular basis.




RE: The CIO should be fired.
By Zoomer on 1/24/2009 12:04:44 PM , Rating: 2
They are taking advantage of it. With the inauguration, their press release might be missed by mainstream media, or at worst, buried in page 12.


Heartland Hemorrhages
By SlipDizzy on 1/21/2009 11:57:46 AM , Rating: 2
quote:
Heartland is the sixth largest payment processor in the country, and specialized in transaction processing for small-to-medium-sized restaurants and retailers.


Well, I guess we know who won't be making it to fifth place.




Lol
By MERKJONES on 1/22/2009 12:00:12 AM , Rating: 2
quote:
“There is no hard evidence that the company's data leak was responsible for the sudden surge of mysterious microtransaction fees we reported in early December,”


Anyone think of "Office Space" when reading this? Damn it feels good to be a gangsta